17, Jul, 2019
CRITICAL VULNERABILITY FOUND IN AD INSERTER WORDPRESS PLUGIN
Ad Inserter is a popular plugin for WordPress users. With this plugin, site administrators can easily manage ads on their websites.
On July 12, the Wordfence team (Wordfence is another popular WordPress plugin, focused on security) discovered a Remote Code Execution (RCE) vulnerability in Ad Inserter. This vulnerability can allow an attacker to run arbitrary PHP code on the site.
The vulnerability was found in the ad preview module of the plugin, where you can preview an ad's position, size, etc. before publishing it. This action is meant to be executed only by WordPress administrators, and to enforce this the plugin author used the WordPress function 'check_admin_referer()', relying on it to ensure that the action is being performed by an administrator.
The Wordfence threat intelligence team, who discovered this vulnerability, said the 'check_admin_referer()' function is not enough protection. check_admin_referer() is designed to protect against CSRF (cross-site request forgery), and it does so by checking whether a nonce (a one-time token) exists in the request.
In simple words, check_admin_referer() checks whether a kind of OTP is in the request. If it finds the OTP, it assumes that the action is being executed by the admin. But this works only when the OTP is provided to the admin.
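The distinction described above, as an added example that is not Ad Inserter's code or Wordfence's: a hypothetical plugin handler that relies on the nonce alone, next to one that also checks the user's capability and only issues the nonce to administrators. The action name myplugin_preview and all myplugin_* function names are assumptions made for illustration.

```php
<?php
// Added illustration, not Ad Inserter's code. The action name
// 'myplugin_preview' and every myplugin_* function are hypothetical.

// Nonce-only handler: passes for any logged-in user who holds a valid nonce.
function myplugin_preview_nonce_only() {
    // Dies unless $_REQUEST['_wpnonce'] is valid for this action and user.
    // That shows the request was not forged; it says nothing about the role.
    check_admin_referer( 'myplugin_preview' );
    myplugin_render_preview();
}

// Hardened handler: CSRF check plus an explicit authorization check.
function myplugin_preview_hardened() {
    check_admin_referer( 'myplugin_preview' );
    // 'manage_options' is held by administrators in a default install.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to preview ads.', 'myplugin' ),
            '',
            array( 'response' => 403 )
        );
    }
    myplugin_render_preview();
}
add_action( 'wp_ajax_myplugin_preview', 'myplugin_preview_hardened' );

// Issue the nonce only to users who are allowed to use it, so that it
// never reaches pages rendered for lower-privileged accounts.
function myplugin_preview_nonce_for_page() {
    return current_user_can( 'manage_options' )
        ? wp_create_nonce( 'myplugin_preview' )
        : '';
}

// Stand-in for the privileged work the handler performs.
function myplugin_render_preview() {
    $block = isset( $_REQUEST['block'] ) ? absint( $_REQUEST['block'] ) : 0;
    wp_send_json_success( array( 'block' => $block ) );
}
```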
The vulnerability was discovered in Ad Inserter version 2.4.21 and below. So if you are using Ad Inserter, make sure it’s up to date. If you are using Wordfence premium, you’re already protected (still update the plugin). If you are a Wordfence free user, you’ll receive the patch for this vulnerability after 30 days, i.e. on August 11.